QUADIENT // 2021 Universal Registration Document

5 NON-FINANCIAL PERFORMANCE STATEMENT Social, societal, and environmental information

Initiatives and 2021 Results

Initiative: Personal data protection program complying with the data regulation
2021 results:
• Review of internal email compliance practices to implement an Email Compliance Policy applicable to the marketing department across the NORAM, DACH-IT, UK-IE, FR-BNL and international markets
• Responding to and implementing new GDPR (a) requirements for international transfers of data outside the European Economic Area

Initiative: Training on information security and data privacy policies
2021 results:
• More than 50 of employees have completed the online training on information security and data privacy
In 2021, worldwide training modules on information security and data privacy were launched on LinkedIn Learning for all employees. They included a video and a short quiz explaining Quadient policies in these two domains.

(a) General Data Protection Regulation.

ISO 27001 CERTIFICATION PROGRAM

Quadient is currently rolling out a certification program based on the ISO 27001 standard, primarily covering sites whose business is the development of software solutions, infrastructures and their support. In 2021, eleven entities were ISO 27001 certified, and the cloud-based Inspire solution is also ISO 27017 and ISO 27018 certified.

COMPLIANCE WITH DATA PRIVACY REGULATIONS

Quadient is committed to processing personal information in accordance with applicable data privacy laws and regulations. Quadient also remains focused on reinforcing its foundation in data privacy areas to ensure the proper security, handling and disposal of data and personal information. According to its data privacy policy, Quadient collects, uses, and retains personal data when it is necessary to ensure the effective operations of the Company. Moreover, Quadient protects confidential and personal information entrusted by its customers, suppliers, and other business partners as carefully as it protects its own information. Additionally, a Data Council was established in 2020, led by the Company's Chief Transformation Officer and Chief Digital Officer and comprised of stakeholders across the organization, to provide the proper governance, transparency and guidance related to these important issues.

In 2021, a cross-functional data protection team worked to accomplish the data privacy objectives. Notable achievements include:
• implementation and maintenance of a single record of processing to inventory and manage all Quadient processing activities;
• update of critical policies related to information security and data privacy;
• generalization of the usage of tools that could detect phishing; and
• extending the implementation of a global data incident management process.

In addition, the Company continues to secure its relationships with its subcontractors by requesting the signature of companies’ data protection agreements, according to new EU model clauses. Full due diligence for Beanworks solutions was carried out to allow its compliance with GDPR requirements and its distribution in the UK and EU. In 2021, there were no substantiated complaints concerning breaches of customer privacy and losses of customer data.

A WORLDWIDE INFORMATION SECURITY OPERATING MODEL

The Company has defined security policies that detail the requirements for correct and secure use of its own data and data entrusted to Quadient by its stakeholders such as staff, customers, suppliers, and other partners. These security policies have been rolled out in all countries in which Quadient operates. They are mandatory and apply to all legal entities, employees, service providers and consultants working on company sites or to anyone with access to company systems.

As part of its transformation, Quadient has implemented a global Information Security operating model. Core to this operating model is a specialist focus, ensuring that the Company has dedicated capabilities where security matters most: in protecting its customers, its employees and personal data that is entrusted to Quadient. The Company’s holistic approach means it consistently focuses on areas of the biggest risk with the means to effectively recover from security events should they happen. Quadient’s policies are practicable and designed to drive the right behaviors in its people and partners, complemented by effective global operating standards. The Company certifies to ISO standards to underpin its practices.

The Director of Information Security chairs a Corporate Information Security Board to govern corporate information security activities. The Security Board meets quarterly and includes representation from Solutions Security teams, the Data Protection Organization, Corporate Compliance, Digital Organization and Corporate Information Security. This is the overarching Information Security technical governance authority within Quadient, reporting to the Quadient Executive Committee. Its role is notably to establish global information security objectives and priorities, perform global information security risk assessments, maintain Information Security policies, and create global awareness of Information Security Policies and safe working practices.
